Authorization using the RBAC approach
There are different ways to authorize users in an API, but one of the most commonly used, due to its simplicity and scalability, is role-based access control (RBAC). The idea is to assign roles to users and then assign permissions to the roles. So, the user has a role, the role has permissions, and the user can execute only the actions that those permissions allow. A simple permission system, for example, has two roles: regular users and administrators. Administrators can perform all actions, and regular users can execute only a subset of the API actions.
There are a lot of ways to define this. It can be simple, such as having a set of predefined roles, a role field on the user record, and a check for that role in the API endpoints. But it can also be far more complex: for example, a system where you can create dynamic roles, have dynamically assigned permissions, and store all that information in a database. Also, you can decide that a user can belong to multiple roles simultaneously...
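The simple variant described above, as an added example that is not code from the original text: predefined roles map to permission sets, each endpoint declares the permission it needs, and a user holding several roles gets the union of their permissions. The role names, permission strings and handler functions are assumptions made for illustration.

```python
from functools import wraps

# Constructed role -> permission mapping (names are assumptions for illustration).
ROLE_PERMISSIONS = {
    "user": frozenset({"article:read", "comment:create"}),
    "admin": frozenset({"article:read", "comment:create",
                        "article:delete", "user:ban"}),
}


class Forbidden(Exception):
    """Raised when the caller lacks the permission an endpoint requires."""


def permissions_for(roles):
    """Union of permissions over all of a user's roles.

    Roles missing from ROLE_PERMISSIONS grant nothing (fail closed), so a
    typo or a stale role stored on the user record never widens access.
    """
    granted = set()
    for role in roles:
        granted |= ROLE_PERMISSIONS.get(role, frozenset())
    return granted


def require_permission(permission):
    """Decorator: run the endpoint only if the user holds `permission`."""
    def decorator(handler):
        @wraps(handler)
        def wrapper(user, *args, **kwargs):
            if permission not in permissions_for(user.get("roles", ())):
                raise Forbidden(f"{permission} required")
            return handler(user, *args, **kwargs)
        return wrapper
    return decorator


@require_permission("article:delete")
def delete_article(user, article_id):
    # Hypothetical endpoint body; a real handler would touch storage here.
    return f"article {article_id} deleted by {user['name']}"


@require_permission("article:read")
def read_article(user, article_id):
    return f"article {article_id} served to {user['name']}"
```

Checking a permission rather than the role name inside each endpoint means a later move to dynamic roles only changes how `ROLE_PERMISSIONS` is populated, not the endpoints.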